Arietis Health Pays $2.8 Million to Resolve MOVEit Data Breach Lawsuit

March 2, 2025HIPAA News0

Arietis Health agreed to a $2.8 million settlement to resolve a class action lawsuit associated with a hacking incident in 2023 that affected the protected health information (PHI) of 1,975,066 people.

Billing services provider Arietis Health was one of approximately 2,300 companies, including HIPAA-covered entities, that were impacted by the zero-day vulnerability exploitation in the MOVEit Transfer solution of Progress Software at the end of May 2023. Arietis Health utilized the file transfer software to transmit big files that contain patient data. The Clop ransomware group exploited the vulnerability, accessed the Arietis Health MOVEit system from May 28 to May 31, 2024, and extracted data from that system.

The data breach at Arietis Health affected the patient information from about 54 healthcare companies associated with NorthStar Anesthesia. The breached data included patient names, addresses, birth dates, driver’s license or other state ID card numbers, Social Security numbers, patient account numbers, health record numbers, medical insurance data, diagnosis and treatment details, clinical and prescription data, and/or provider details.

People impacted by the data breach filed a lawsuit against Arietis Health because of the data breach claiming negligence for not implementing reasonable and proper data security procedures. Arietis Health opted to resolve the lawsuit to prevent the problems and expenses relating to the litigation, without admitting any liability or wrongdoing. Based on the conditions of the settlement, Arietis Health is going to spend $2,800,000 for the settlement fund to pay for class members’ claims. The settlement fund will additionally pay for attorneys’ costs, likely to be 33% of that amount, plus legal fees and expenditures.

Class members can file claims up to $5,000 per person to take care of recorded, unreimbursed expenditures that were likely sustained because of the data breach, and up to 4 hours of lost time worth $25 per hour. Arietis Health will also provide class members with identity theft protection and credit monitoring services paid for up to four years.

The last day for filing exclusion from and objection to the settlement is March 4, 2025. Claims should be submitted on or before April 3, 2025. The court has given preliminary approval of the settlement and the schedule of the final approval hearing is April 3, 2025.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2025 ComplianceHome. All rights reserved.